Skillset

Introduction

The year is closing and it’s time for prediction of the evolution of the security landscape in 2014. It’s easy to predict an increase in the volume of cyber attacks made by cyber criminals and state-sponsored actors, so I decided to hazard a series of controversial predictions based on the observation of current events.

US intelligence on the rise – NSA 2.0

The recent revelations based on the documents leaked by former Intelligence consultant Edward Snowden will have serious repercussions on US intelligence agencies. The internal structure of the overall US Secret Services is destined to radically change, modifying in a meaningful way the politics of the intelligence agencies.

A growing number of cyber experts will take the lead of the US Intelligence Agency. The way to conduct intelligence operations is radically changed, and this will have a great impact on the internal organigram. NSA and similar agencies will reserve resources and assets to cyber operations. The change will be relatively quick and will involve the entire American Defense and the upper echelons of Government.

NSA 2.0 will have to radically change its cyber strategy; the architectures and methods described by Snowden quickly became prehistory, the element of surprise is gone from which agencies like the FBI and NSA have benefited for years, the “cyber dispute” is in a crucial evolutionary phase, attack and defense are aware of the threats and are intent for the development of new sophisticated techniques.

Cyber weapons in the wild

Cyber weapons are the essential component of information warfare. The definition of a new generation of cyber tools and software will compromise enemy networks and infrastructure in cyberspace.

The lack of a shared law framework that regulates the use of cyber weapons and that establishes the legal and political responsibility of the attacker is an incentive to operate on the borderline. Governments will continue the developments of new sophisticated cyber tools to offend foreign governments, moving the attack into cyberspace. The relatively low investments for the designing of a cyber weapon or the re-engineering of the code of an existing one will attract also many other actors into the new global information cyber arena.

The cyber weapons are stealthy and during the next year it is likely that principal security firms will find evidences of their ongoing activities. It is an asymmetric conflict that could escalate with a clamorous incident at a critical infrastructure.

The Zero-day market will literally explode, and a growing number of companies will specify their business in the research of unknown vulnerabilities. This is the big business of the next years: the knowledge of uncovered flaws that private entities will secretly sell to the highest bidder.

In the case of conflict in critical areas such as Syria or Korea, the use of cyber weapons will be complementary to conventional weapons for offensive operations and the destruction of enemy defense infrastructures.

Tor Network, cybercrime and law enforcement

In the next months, the number of Tor network users will be stabilized, and the popular network will be mainly used by cybercriminals and whistleblowers. The cybercrime will use the popular anonymizing network mainly to try to strengthen their malicious botnet hiding command and controls within the Tor network. No meaningful changes will be observed in the activities of commercialization of odds like drugs and weapons; the volume of sale will remain constant.

The real novelty will be the creation of a growing number of services for social purposes, primarily for the reporting of illegal activities or abuse.

On the other side, law enforcement to fight cybercrime will increase the activities of infiltration of the anonymizing networks. In the case of the Tor network, the authorities will sustain the creation of new hidden services with a primary purpose to track Tor users and to create “honeypots” to monitor illegal activities.

Internet of things malware explosion

The number of smart connected devices is exploding; principal researchers agree that in a few years the number of “Intelligence Things” will exceed ten billion units. Harbor Research estimated that Smart Connected Devices will reach 13.5 Billion in 2016 and it is an estimate that needs to be revised upward.

It is an impressive amount of devices, more or less complex, that could be the victim of cyber attacks due the lack of defensive mechanisms. Cybercriminals will look with a greater interest to this growing industry. In particular, malware authors will work to the creation of new malicious code to automatically infect millions of devices to recruit as member of botnets to conduct other illegal activities.

Malware specifically designed for “Internet of Things” will become even more complex and multiplatform, able to infect Intel x86-powered Linux devices and many other architectures including ARM, PPC, MIPS and MIPSEL.

The technology has reached an impressive level of penetration. Many objects around us have hidden operating systems, they are always online and run a multitude of applications. It’s necessary to ensure a proper level of security to the contexts that host them. Smart devices must be continuously patched and updated during their life cycle, and this is not always possible due a series of technical issues.

On the other side, device manufacturers will start to produce a new generation of smart devices that includes the implementation of basic security requirements by design. It is a great challenge also for the security industry to produce new solutions to protect the intelligent things that surround us.

The recent events revealed by documents leaked by Snowden show a concerning IT scenario: every actor tries to spy-on allies and opposites. Since now the majority of cyber espionage activities are conducted using sophisticated malware able to silently infiltrate targeted networks, the level of attention on cyber threats is the highest and every government has included in its cyber strategy a series of countermeasures to avoid espionage.

One of the most interesting perspectives for cyber espionage is the introduction of an undetectable hardware backdoor inside appliances and large consumer devices directly in the production phases.

Deliberate flaws could be introduced at different levels of production with different effects on compromised devices. Hardware backdoors could be used to substitute a component within an electronic device or it could be implemented adding a supplementary circuit. Both methods are functionally efficient, but aren’t feasible due to the difficulty of hiding hacks upon careful inspection.

The manipulation of dopant chemical elements is the method that in my opinion will be adopted for the definition of a new generation of hardware backdoor that could be tested in the next months. For the identification of such backdoors, a careful analysis is needed of the hardware during acquisition and qualification phases of the supply chain.

IT researchers worldwide will be able to provide new methods for designing hardware backdoors, for example operating at dopant-level and introducing hardware Trojans.

Researchers demonstrated how to modify a circuit, introducing hardware Trojans able to elude detection. This is the reality of the backdoors implemented at the gate level. That’s done by hanging the dopant polarity of existing transistors, instead of introducing supplementary hardware.

In the past, research has been conducted without successfully altering the behavior of hardware by changing the concentration of dopant element. Now, researchers have changed polarity with a specific foundry setting. The method has been already tested in Intel’s random number generator design used in Ivy Bridge processors, as well as in a side-channel resistant SBox implementation. Someone could probably start testing the backdoor for commercial products soon.

User Controlled Encryption explosion

Internet surveillance is the greatest fear of netizens. In the upcoming months, numerous service providers will launch solutions and services to avoid censorship and Internet monitoring.

The services will allow users to control encryption processes in a transparent way: the users will be the unique manager for their encryption keys with the dual advantage that users will not doubt the encryption management operated by providers, and service providers will not be liable for content posted by users.

In the User Controls Encryption (UCE) scheme, the user holds the encryption key, the service providers hold the “encrypted” files, and the service managers themselves cannot access the files, nor can hackers gain access.

Is encryption really the panacea for user privacy? Maybe not!

Hackers will increase pressure on consultants and subcontractors

In 2014 I believe that the number of attacks against subcontractors and consultants will increase with a concerning trend. These categories of professionals represent in the majority of cases the weakest link in the information chain.

The vulnerabilities in the information management are usually related to the way those entities manage sensitive data targeted by hackers, but in many cases the flaws are present in the way the contracting authority and subcontractors/ consultants exchange information.

The attack techniques are becoming even more sophisticated. Watering hole attacks and spear phishing are the most common techniques of attack for targeted offensives, and their frequency is destined to grow. Consultants, contractors, vendors and other entities typically share sensitive information with the large corporate and government entities. This consideration makes them a privileged target for hackers.

It is also expected that a growing number of large enterprises will review their security policies to better approach the possible cyber threats and to promptly respond in case of incident.

A major cyber attack may happen

Principal security firms daily detect new cyber attacks, more or less complex. The intensification of cyber operations could be the cause of a serious data breach, or worse, of an incident to critical infrastructure.

Despite that I consider profit-motivated cyber attacks the principal cyber threats, it is reasonable to believe that a major attack could be conducted by a state-sponsored actor.

Critical infrastructure is a privileged target and a serious attack could have serious repercussions on homeland security of a country. Electric grids and more general infrastructures belonging the energy industry are an easy target for state-sponsored hackers that could target control systems or internal networks with specifically designed malware.

The attack may not directly harm the population, but a major data breach could cause the disclosure of sensitive information that could harm national security. It is to predict that the attribution of responsibility for the attacks will still remain a principal problem, especially for the announced major cyber attack.

Bitcoin … lights and shadows

The peaks of the Bitcoin value reached in these weeks are a strong motivation for malware authors to develop new malicious codes capable of stealing Bitcoin wallets from the victims or abuse of their resources for mining activities. We will see in the first months of the year an explosion of malware with these purposes. An increasing number of exploit kits sold in the underground will include these capabilities.

But does it really make sense to run this popular virtual currency? Should we expect a collapse?

Despite Bitcoin becoming a valuable currency as legitimate businesses and various markets are starting to accept it, actual value respects the robustness of the currency.

The recent price surge, supposedly driven by Chinese investment in the Bitcoin, may vanish as a classic bubble. A crash is a further risk for Bitcoin owners.

Gaming between cyber espionage and cyber threat monitoring

Governments have been working for years on projects that enable them to exploit the gaming platforms for surveillance purposes on a large scale. In the next months many special projects specifically oriented to the exploitation of gaming console to track users in the cyberspace, and monitor the online habits and sentiments of the entire population, will become operative. Gaming console are powerful tools to spy on their owners and on the environment that surround them, they could be used to infiltrate domestic networks and to serve any kind of malicious code within targeted networks.

The real innovation could be represented by an innovative use of those powerful platforms. According to several colleagues, some governments are working on the definition of programs for the realization of an alerting and probing network based on a gaming console. The computational capabilities of these consoles, once online, could be used to watch over the Internet to detect and monitor anomalous events that could represent an indication of ongoing malicious activities. Cybercrime, cyber terrorism and state-sponsored operations could be also be monitored, analyzing a series of network activities and indicators thanks to the use of gaming platforms.

Too easy to predict

I have written this post with the specific intent to speak on possible trends in the security landscape for the incoming year. The predictions I made are not so ordinary because principal security firms have the privilege to introduce classic topics highlighting the principal evolution of most common cyber threats. I decided to close the article with “easy predictions” on the cyber security scenario in 2014.

The number of malware will continue to increase despite the great effort of principal security firms. Cloud computing, mobile and social networking will be the areas with greatest increments for malware volume.

Cybercrime will intensify its actions, in particular thanks to the model of sale known as “malware-as-a-service”: a growing number of non-professional cyber criminals will be attracted by the possibility to easily monetize their efforts with illegal cyber activities.

It is easy to predict also a surge in the number of state-sponsored hacking campaigns, despite their attribution will remain impossible, fortunately on the other side principal governments are working on the definition of a national cyber strategy to preserve critical infrastructure.

Java will remain highly exploitable and a highly exploited platform, the principal cause of the incident will be that a huge quantity of the victim’s system will continue to run older versions of the popular framework. A growing number of exploit kits will be sold on the black market to automatically compromise vulnerable systems based on Java applications.

Also in 2014, activism remains a primary cyber threat with abilities to compromise the security of any target, from large enterprises to government agencies.

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at Cyber Defense magazine, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog "Security Affairs," recently named a Top National Security Resource for US.
Pierluigi is a member of the The Hacker News team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and for many other security magazines. He is the author of the books The Deep Dark Web and Digital Virtual Currency and Bitcoin.

InfoSec by the numbers:
– Microsoft samples suggest that 0.61% of its systems were compromised in the first half of 2013.
– Attacks rates are still proportional to the number of computers.
0.132% +/- .004% Attacks/yr per Enterprise Seat; Derived from Ponemon’s Cost of Cyber Crime data.
– Life time rate of Identity Theft for Californians 5.31%
– Rate of Identity Theft in breached Records 22.5%.
– Average fraud loss reported to the FBI in 2012 across all 50 states. $1745
– If Microsoft announces cures to 300 Known Vulnerabilities per year and patches take 2 years to produce,
then there are 600 unannounced vulnerabilities at any one time. Further, if the useful life of a system
is 5 years, a new system has 1,500 undocumented vulnerabilities, 900 will have a patch released
and 5.49 of these vulnerabilities will likely be exploited at least once.

Most Interesting to me; there appears to be a greater supply of vulnerable systems than demand by attackers.
Estimated time to expensively exploit a compromised computer. (Assuming 1 computer per Enterprise Seat.)

We have an inventory of exploited systems 0.61% that are resulting in acknowledged attack losses only 1 out of 4 times. This either means that 3/4 of exploited systems are undetected Advanced Persistent Threats; or, Automated attacks are so easy, that it may take such scripts 4.6 years to find the first lock an load exploit on an average system.

Deeper still:
Suppose My new PC has 1,500 unknown vulnerabilities on the day I purchased it.
– I should expect 1.98 expensive attacks over that system life time.
– 40% of the vulnerabilities on my system had not yet be announced to have a solution.
– 3.66 of the 9.15 exploits of my system were not yet visible to the Microsoft Malicious Software Removal tool.

I think at watching the state of disorganization of attackers is more like playing fantasy football. If the real questions are about prevention, detection and response, there is a lot more to do in OS and Applications Security left to do.

To be 95% sure that I can live to 85 years old and not have my medical privacy breached, we can only afford a system vulnerability rate of 0.0603%/yr. At 0.61%/yr, Microsoft systems are 10.1 times more vulnerable that we need them to be.
–

How can user “control encryption processes in a transparent way” unless they have a way to (have people they trust) transparently verify every hw & sw component running at any given time at end-points and the manufacturing processes of most sensitive hw components?!

About InfoSec

InfoSec Institute is the best source for high quality information security training. We have been training Information Security and IT Professionals since 1998 with a diverse lineup of relevant training courses. In the past 16 years, over 50,000 individuals have trusted InfoSec Institute for their professional development needs!

Join our newsletter

File download

First Name

Last Name

Work Phone Number

Work Email Address

Job Title

How will you fund your training?

Why Take This Training?

What is your timeline for training?

InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.

Comments

What is Skillset?

Skillset

Practice tests & assessments.

Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:

1. Determine which required skills your knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam